GitHub Advisory DatabaseGHSA-58JX-F5RF-QGQFUser account escalation in Apache Hadoop
8.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
9 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
SINGLE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:L/Au:S/C:C/I:C/A:C
0.003 Low
EPSS
Percentile
69.6%
In Apache Hadoop 2.2.0 to 2.10.1, 3.0.0-alpha1 to 3.1.4, 3.2.0 to 3.2.2, and 3.3.0 to 3.3.1, a user who can escalate to yarn user can possibly run arbitrary commands as root user. Users should upgrade to Apache Hadoop 2.10.2, 3.2.3, 3.3.2 or higher.
References
www.openwall.com/lists/oss-security/2022/06/15/2
github.com/advisories/GHSA-58jx-f5rf-qgqf
github.com/apache/hadoop/commit/227d64ab59e8aa6477769b2542ad0cd7a6d855cb
github.com/apache/hadoop/commit/45801fba8b00257ab32c02a7d1a05948ba687a49
github.com/apache/hadoop/commit/ba041fe6d34215f075e0a7b2078d7273147e14b7
lists.apache.org/thread/ctr84rmo3xd2tzqcx2b277c8z692vhl5
nvd.nist.gov/vuln/detail/CVE-2021-33036
security.netapp.com/advisory/ntap-20220722-0003/
Related
8.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
9 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
SINGLE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:L/Au:S/C:C/I:C/A:C
0.003 Low
EPSS
Percentile
69.6%